The NotPetya attack: What it teaches us about cyber survival

In June 2017, the world witnessed one of the most destructive cyberattacks in history: the NotPetya attack. Unlike traditional ransomware, NotPetya was a wiper. Once it infected a system, recovery was impossible. The ransom demand was a ruse because no decryption keys were ever made available. The true intent of the attackers was to cause disruption and damage.
Nearly a decade later, NotPetya is considered a turning point in how organizations approach backup and recovery. The threat has only grown. The 2025 Data Breach Investigations Report by Verizon found that ransomware was present in 44% of breaches, marking a 37% year-over-year increase.
How NotPetya spread so effectively
The breach originated at Linkos Group, a Ukrainian accounting software company, where attackers compromised an update of its widely used product, M.E.Doc. When customers installed what appeared to be a legitimate software update, they unknowingly deployed malware into their networks.
The malware then spread rapidly using EternalBlue, an exploit developed by the National Security Agency and later leaked by a hacker group called the Shadow Brokers. The exploit targeted a vulnerability in Microsoft Windows and allowed the malware to move laterally across unpatched systems. The malware also harvested user credentials to accelerate its spread. Instead of encrypting files for ransom, NotPetya overwrote the master boot record, making recovery nearly impossible without secure backups.
The major organizations affected included the Ukrainian government, Maersk, Merck & Co., FedEx, Mondelēz International, Saint-Gobain, Reckitt Benckiser, and Rosneft. The White House estimated that the total global damages were approximately $10 billion.
Maersk’s 7-minute collapse
No organization was more visibly affected than Maersk, the Danish shipping conglomerate that controlled roughly 18% of global container shipping at the time. Within seven minutes of infection, its global network went down. About 45,000 PCs, 4,000 servers, and 76 port terminals were impacted, resulting in losses exceeding $300 million.
What made recovery possible was not a deliberate disaster recovery strategy but an extraordinary stroke of luck. During the attack, a power outage in Ghana had taken one of Maersk’s domain controllers offline. That server contained the intact copy of its Active Directory environment. The copy was flown from Ghana to the United Kingdom and became the foundation for rebuilding the company’s identity infrastructure. Without that power outage, Maersk’s recovery would have been significantly more complicated and time-consuming.
Why traditional backup architectures failed
Maersk had backups, but they were connected to the network. The malware reached and destroyed them just as easily as the primary data. This exposed a critical flaw in traditional backup architectures. If backups are accessible from the infected network, they are equally vulnerable to attacks.
Ransomware and other malware today specifically target backup solutions, ensuring victims have no recourse. Air-gapped, immutable backups mitigate ransomware attacks because they cannot be modified, encrypted, or deleted. Even if the network is compromised, clean recovery points remain intact.
The lasting lesson
The NotPetya attack was not an isolated event. It showed that a compromised update could trigger a global operational crisis and that backups alone are not enough. If backups can be altered or deleted during an attack, they provide no real security. Organizations must implement and follow a comprehensive backup and recovery strategy aligned with industry best practices.
Know your recovery gaps before attackers do
Don't wait for a crisis to find out if your backup and recovery strategy is truly ransomware-proof. Take the recovery readiness assessment, a comprehensive evaluation designed to identify gaps in your current backup posture, test your recovery capabilities against real-world attack scenarios, and help you ensure your critical data is protected at all times.
